Posted
by
Soulskillon Friday November 11, 2011 @05:03PM
from the good-luck-with-that dept.

gManZboy writes "There's a thriving trade in zero-day vulnerabilities, predicated on keeping knowledge of these vulnerabilities out of the public domain. For security researchers with knowledge of a bug that's not worth much, or for researchers who question the ethics of selling any bug information, there are alternatives. Vulnerability information service Secunia launched its Secunia Vulnerability Coordination Reward Program, which formalizes what Secunia says it's been doing informally for some time: It acts as a go-between for security researchers that have discovered a vulnerability in a product, and the vendor of that product. Do such practices jeopardize security for the many, while safeguarding just the few? It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market. If you're going to cash in, you face some tough ethical questions."

Take away those jobs and take into account corporations' lax attitude about security (which doesn't "add value") and you will have a lot of disgruntled people with inside knowledge of vulnerabilities and trade secrets, who may choose to instead profit directly or indirectly from their new line of work.

People won't bite the hand that feeds them, but they will bite the hand that slaps 'em.

If you're selling zero day exploits to the highest bidder, you are beyond caring about the ethics. The study of ethics assumes that someone sincerely, rationally cares about what they should do or not do. Selling zero day exploits to whoever clearly indicates you're not in that camp.

It is common practice among digitally inclined firms to sue white-hats when they contact them about security vulnerabilities in their systems, rather than getting down and patching the holes and fixing the flaws.

It seems to me that it is no wonder that ethically inclined hackers would prefer to avoid approaching firms with their discoveries and instead just sit on them. Personally, I think ethics be gone and let the big lawyered up firms take their attitudes and suffer the consequences.

Contact the firm, set a deadline and then release the zero-day exploit anonymously on the specified date as promised.

It's unfortunate, but the companies have basically made this market a viable option for white-hats looking to solve security issues. It helps protect them against being sued, and they also get money to boot.